spoint

Fail

Audited by Socket on Jul 2, 2026

11 alerts found:

Obfuscated Filex2Securityx5Anomalyx4
Obfuscated FileHIGH
apps/maps/de_dust2_kosovo.glb

The supplied fragment is largely binary asset data (WEBP/DRACO/RIFF-like blocks) and contains no executable JavaScript logic, no calls to eval/Function, no network or process operations, and no hard-coded secrets. On its face this fragment shows no direct malicious behaviors. However, embedding large opaque binary blobs in a package is an evasion surface: if another part of the package decodes and executes these blobs, that could be malicious. I recommend reviewing the package’s JS/module code that accesses or decodes these assets (any loader, dynamic evals, or native bindings) before trusting the package in a sensitive environment.

Confidence: 90%
SecurityMEDIUM
src/sdk/EditorHandlers.js
Obfuscated FileHIGH
apps/maps/awp_india_ks.glb

The provided fragment is predominantly binary asset data embedded in text, not standalone executable code. There is no conclusive evidence of malicious activity within this fragment alone, but the size, obfuscated-like presentation, and media-related headers warrant auditing of the host application's loader/decoder and any runtime decoding paths to ensure safe handling, proper integrity verification, and absence of unsafe dynamic execution.

Confidence: 90%
AnomalyLOW
scripts/patch-deps.mjs

This code functions as a post-install/dependency patcher that edits installed third-party packages in node_modules using fragile string anchor replacements, persisting changes with writeFileSync. The injected behavior is focused on graphics/shader logic, but one patch exports internal bake/readback helpers onto window/globalThis, expanding the runtime attack surface. No direct malware indicators like exfiltration, credential theft, or command execution are present in the shown fragment; however, dependency rewriting plus global hook injection is a meaningful security and supply-chain concern requiring verification of intent and correctness.

Confidence: 72%Severity: 65%
SecurityMEDIUM
src/sdk/WorkerEntry.js
AnomalyLOW
src/sdk/ServerAPI.js

This module does not show clear evidence of intentional malware or obfuscation. The primary security concerns are information disclosure and weak hardening: /debug/server exposes internal runtime metrics including process.memoryUsage() and is readable cross-origin (CORS '*'), while /debug-log logs client-supplied JSON directly to server logs. Additionally, entity spawning is driven by unvalidated local JSON fields and the /upload-model endpoint lacks authentication checks in this wrapper (actual risk depends on createUploadHandler).

Confidence: 65%Severity: 55%
AnomalyLOW
scripts/lib/gpu-eval.mjs

No direct evidence of classic malware behavior (credential theft, persistence, or non-local exfiltration) is present in this module. However, it is high-privilege automation code: it launches a headless browser with sandbox disabled and provides a powerful CDP Runtime.evaluate interface that executes dynamically constructed JavaScript in the loaded page context. If an attacker can influence the loaded URL/content or the expressions passed to evalIn (including dirExpr embedded in generated probe expressions), the impact could be severe due to reduced browser isolation. Treat this component as trusted-only and tightly control inputs to opts.url/CHROME and all code/expressions executed via evalIn.

Confidence: 60%Severity: 55%
SecurityMEDIUM
src/apps/AppLoader.js
SecurityMEDIUM
client/AppModuleSystem.js
AnomalyLOW
.github/workflows/auto-declaudeify.yml

No overt malware indicators (no exfiltration, no backdoor behavior, no suspicious remote execution) are present in this workflow fragment. However, it performs targeted provenance manipulation by rewriting commit author/committer identity and deleting specific co-author attribution lines, then force-pushes rewritten branches/tags to the remote. This creates a high-impact integrity/auditability risk and could be abused to conceal or alter history; the broad trigger scope increases operational likelihood of unintended consequences.

Confidence: 70%Severity: 62%
SecurityMEDIUM
lang/spoint.js
Audit Metadata
Analyzed At
Jul 2, 2026, 08:34 PM
Package URL
pkg:socket/skills-sh/AnEntrypoint%2Fspawnpoint%2Fspoint%2F@f8b9038570bb3015a36e6eff1c378726d3be8e70
Security Audit — socket — spoint